Displaying 20 results from an estimated 11000 matches similar to: "a story of compromise and an idea"
2013 May 24
5
Utility to scan for unpassworded SSH privkeys?
Hey all,
Let's make an assumption:
1) I am a root user on a system.
2) I don't want said system being used as a jumping-off point if either a
user account or the root account is compromised.
Given an unencrypted private key, plus a known_hosts file, plus
bash_history, it's a pretty easy avenue of attack once you're in the front
door. And it's happened before*.
Thus,
2009 Sep 07
6
Question about Server Authentication
Hi guys,
I'm working on a project which concerns SSH, and there is something I don't understand about server authentication. So I'll explain my problem:
- When you authorize only RSA keys in the sshd_config on the server, you need to have the RSA public key of this server in the known_hosts file of the client. This is absolutely normal.
- When you authorize only DSA keys in the sshd_config
2024 Oct 14
2
[RFC] Preferentially TOFU certificate authorities rather than host keys
There's currently no way to express trust for an SSH certificate CA other
than by manually adding it to known_hosts. This patch modifies the automatic
key write-out behaviour on user verification to associate the hostname with
the CA rather than the host key, allowing environments making use of
certificates to update (potentially compromised) host keys without needing
to modify client
2013 May 24
1
Utility to scan for unpassworded SSH privkeys?
I like to retain some semblance of optimism for humanity, and so I'm just going to hope that this assertion is false. I have to hope that there is at least a large minority of people who correctly use ssh-agent for the suppression of password prompting, and protect their private keys with passwords.
-------- Original message --------
From: Dan Kaminsky <dan at doxpara.com>
Date:
2005 May 18
3
known_hosts vulnerability?
Hey all,
I came across a security news article, referenced by
http://www.linux.org/news, at
http://www.techworld.com/security/news/index.cfm?NewsID=3668
talking about an SSH weakness involving the known_hosts file. I
apologize if this issue has already been addressed, but the mailing list
archives didn't turn up anything when I tried searching for something
relevant. So; not to knee-jerk or
2008 May 13
4
Trick user to send private key password to compromised host
Hi list,
I do not know if this is really an issue, but I noticed that when
connecting to a remote ssh host with the standard Linux OpenSSH client
using a private key, there is no line of text indicating when the
local key-passwd process was completed and the connection session was
established.
On a compromised host, the login shell could write the line 'Enter
passphrase for key
2004 Feb 03
0
Re: Possible compromise ?
Yeah, but if you are uncertain about your own box my VERY STRONG advice
is that you reinstall. IF your host is indeed owned, then you are a lot
further away than just reinstalling; god knows what issues can arise
when a cracker exploits the system to do bogus tasks..
Then I say: Too bad for your time, sorry but it's like that
--
Kind regards,
Remko Lodder
Elvandar.org/DSINet.org
2000 Mar 18
2
Keysize mismatch error on host key
I've got a problem that I'm hoping the list can help with, otherwise ...
Here's the problem: I've got OpenSSH 1.2.2p1 running on my Intel Linux
box as the secure server. I can connect from another Intel Linux box
using scp and it all seems to work fine.
Another box tries to connect and it gets a warning about the host
keysize not matching. I'm thinking this could be some byte
2023 Oct 10
17
[Bug 3627] New: openssh 9.4p1 does not see RSA keys in know_hosts file.
https://bugzilla.mindrot.org/show_bug.cgi?id=3627
Bug ID: 3627
Summary: openssh 9.4p1 does not see RSA keys in know_hosts
file.
Product: Portable OpenSSH
Version: 9.4p1
Hardware: SPARC
OS: Solaris
Status: NEW
Severity: major
Priority: P5
Component: ssh
2004 Feb 03
1
Re: Possible compromise ?
That only works when you are presuming that the host was not hacked already,
because I would clear those logs when I hacked a system :)
But indeed it's a try.
If you remain unsure, it is best to reinstall the system to be sure that a
fresh and newly updated (yeah, update it when installed :)) system is not
compromised at that time..
Loads of work, but it gives you some relief to know that
2017 Jan 28
3
known_hosts question for Ubuntu Server 14.04 and 16.04 LTS
Hello & thanks for reading.
I'm having a problem configuring known_hosts from scripts so an accept
key yes/no prompt doesn't appear.
I'm using this command to detect if the server is known and add it to
known_hosts:
if ! ssh-keygen -F ${IP_ADDR} -f ~/.ssh/known_hosts > /dev/null 2>&1; then ssh-keyscan -p ${PORT} ${IP_ADDR} >> ~/.ssh/known_hosts; fi
This works
2017 May 16
2
Golang CertChecker hostname validation differs to OpenSSH
On Wed, May 17, 2017 at 2:46 AM, Damien Miller <djm at mindrot.org> wrote:
> On Mon, 15 May 2017, Adam Eijdenberg wrote:
>> https://github.com/golang/go/issues/20273
>>
>> By default they are looking for a principal named "host:port" inside
>> of the certificate presented by the server, instead of just looking
>> for the host as I believe OpenSSH
2011 Oct 15
4
Thoughts regarding the database compromise....
1] not using secure http for log-ins seems a bit 20th century.
2] to join this mailing list, I needed to send my new credentials over unsecured http - see 1] above.
3] to change password from the compromised reset password, I need to use unsecured http - see 1] above.
My point here is that if you are saddened, upset or concerned about the compromise, might the 3 above points also be on the list
2016 Apr 28
1
Centos hold me back from work - sshd ...bull
Valeri Galtsev wrote:
>
> On Thu, April 28, 2016 8:56 am, mdubendris at gmail.com wrote:
>> The problem is not with your installation of CentOS, it is with the
>> computer you are connecting from. Read the error log you pasted earlier,
>> it tells you exactly what the problem is and how to remedy it:
>>>
>>> Add correct host key in
2015 Apr 22
2
shared private key
Hi SSH-devs,
This may be a bit off topic for this list, but....
Would it be ok to share a private key in an installer script so long
as the corresponding public key is setup like this...
command="cat ~/.ssh/id_rsa.pub" ssh-rsa AAAA...
I'm looking for a secure way to get a user to share their public key
through SSH which can be invoked from an installer on another
host...for
2001 Jan 03
1
OpenSSH 2.3 on Tru Unix: Problems
Hi,
I am trying to get OpenSSH working on Compaq's Tru64 Unix (alias Digital Unix)
Version 5.1.
It compiles smoothly with OpenSSL-0.9.6, but I observe some odd things.
(A) AS SERVER
The authentication via .ssh/known_host doesn't work.
I have the same sshd_config as on FreeBSD (OpenSSH 2.2.0), where it works.
sshd -d -d:
-----------
debug1: sshd version OpenSSH_2.3.0p1
...
RSA key generation
2008 Dec 10
1
DSA harmful for remote authentication to compromised hosts?
Hello!
I'd just like to run this by some people who are more familiar with
the RSA and DSA algorithms and their use within (Open)SSH.
I've been using OpenSSH happily with the assumption that using key-based
authentication (RSA or DSA public keys pushed to .ssh/authorized_keys on
remote hosts) provides a number of benefits, including an important
security-related one -- Logging in to a
2009 Mar 19
2
ssh - alternate ports, and host verification
I have a centos box that will need to ssh into 2 other centos boxes
(with keys). Now one of these boxes is a firewall, and another is a
system behind the firewall. I have rules in my firewall to punch into
the system behind the FW.
Now if I connect to the IP (since the public one is shared), anytime I
connect to the other system, I get the host verification failed error
and have to
2020 Oct 03
6
UpdateHostkeys now enabled by default
Hi,
I just fixed a couple of corner-cases relating to UpdateHostkeys in git
HEAD and have enabled the option by default. IMO this protocol extension
is important because it allows ssh clients to automatically migrate to
the best available signature algorithms available on the server and
supports our goal of deprecating RSA/SHA1 in the future.
We would really appreciate your feedback on this
2003 Aug 14
1
NOTICE: [CERT Advisory CA-2003-21 GNU Project FTP Server Compromise]
Hi All
As many may have noticed the GNU Project's FTP server had been compromised as
outlined in this CERT advisory[1].
I felt the urge to quickly hack together a small perl script to check my
distfiles against the published md5 sums from FSF.
Using this file as reference: ftp://ftp.gnu.org/before-2003-08-01.md5sums.asc
(Check and Verify the PGP signature ![1])
[1] Full CERT advisory :